Product safety and IoT: European Commission orders recall over data security failings



The market for wearable tech is huge and growing, driven by new wellness applications and improved connectivity. Add to that the increasing number of new IoT devices and applications in the home, workplace and industry, and the opportunities for both new and established product manufacturers are easy to see. However, there are new, significant risks that businesses also need to consider fully as they bring a new product to market.

Product manufacturers are well aware of their duty to place on the market only products which are “safe” for consumers. They are used to carrying out safety assessments regarding physical risks to consumer safety, and they are conscious of the product liability risk they face should they get it wrong. But as consumers increasingly expect products to be smart, permanently connected to the Internet while collecting and sharing consumer data in increasingly sophisticated ways, manufacturers are exposed to product liability risk in areas they may never before have thought to consider.

In the latest example of this growing product liability risk, the European Commission (“Commission”) has issued a RAPEX notice identifying a product as posing “serious” risk to consumers and notifying a Europe-wide recall, not because the Commission believes that the product poses any physical risk to consumer safety, but because the Commission believes that the product does not adequately protect consumers’ data and privacy, and therefore creates a potential security concern for children.

The product is an Internet-connected smartwatch, intended to be worn by children, which gives parents the ability to track their child’s location using a companion smartphone app and to make calls to their child through the watch. The Commission concluded that the device did not comply with the Radio Equipment Directive, with the RAPEX notice identifying a number of concerns regarding the security of the data tracked by the product and/or its companion app, including that “the mobile application accompanying the watch has unencrypted communications with its backend server and the server enables unauthenticated access to data” and that “as a consequence the data such as location history, phone numbers, and serial number can easily be retrieved and changed.” The notice also identifies that a malicious user could “send commands to any watch making it call another number of his choosing, can communicate with the child wearing the device or locate the child through GPS.”

To our knowledge, this is the first time that a RAPEX notice has been issued in respect of a product on the basis of concerns over data privacy and security. We very much doubt it will be the last.

As consumer demand for wearable tech and connected devices continues to grow, the potential product liability risks will only increase (risks we discussed in our recent “Future Fight Club” video). The lesson for manufacturers is clear: a more holistic approach to regulatory risk is required, covering product liability, data privacy and security, and communications regulation. Any product liability risk assessment in respect of a connected consumer product which does not include an assessment of software and firmware security and data security standards may put manufacturers at significant risk.